Saturday, August 17, 2013

Snowden leak contradicts Snowden's assertions

By now you've probably heard about the latest Snowden leak published by Bart Gellman in the Washington Post. It is a report issued by SID Compliance and Oversight (the agency tasked with producing compliance reports on FISA implementation) on the NSA. With a screaming headline about "thousands of violations a year" sucking up most of the reaction to this report, it seems to me that a lot of folks are missing how this particular leak contradicts at least one of Snowden's assertions.

Let's go back to what he said in the online chat The Guardian hosted just after Snowden had "outed" himself as the leaker.

...audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ, the number of audited queries is only 5% of those performed.

I'll admit that I had to google GCHQ to find out what it is...the UK's version of the NSA. I suppose that Snowden's intent in referring to them was to suggest that - like the UK - the NSA only audits 5% of the queries performed. With this latest release by Gellman, we know that to be false. As a matter of fact, what this document shows is that rather than being cursory and incomplete, SID audits are remarkably thorough.

In Glenn Greenwald's report on XKEYSCORE (the program the NSA uses to conduct these queries), he repeats a similar claim by Snowden.

Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. "It's very rare to be questioned on our searches," Snowden told the Guardian in June...

Regardless of what you make of these "violations," one has to assume that either Snowden didn't know about the oversight being conducted on these queries (hard to imagine since he's the one who leaked this report to Gellman and Greenwald said that Snowden thoroughly reviewed everything he leaked) or he was lying. It is therefore important to note how this story has morphed from its early form of hysteria. Right out of the gate, Snowden made an explosive claim.

I, sitting at my desk could wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email.

Then in that on-line chat at The Guardian, he equivocated a bit.

...in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on - it's all the same. The restrictions against this are policy based, not technically based, and can change at any time.

Here he is suggesting that there are policies that prohibit an analyst from wiretapping anyone. But his qualification is what I quoted above...that audits on those policies are cursory, incomplete and rare. Now we know that is not true. So the goalposts have been moved once again.

Duly noted. Please proceed, Mr. Snowden.

P.S. In reviewing some of Mr. Snowden's early statements, I watched this video again.

I'll just note that at approximately 3:50 he makes the now totally discredited claim about NSA having "direct access" to internet company's systems. But its what he says at about 4:50 that I find incredible for anyone who has even cursory knowledge of the internet - much less a "systems administrator."

I grew up with the understanding that the world I lived in was one where people enjoyed the freedom to communicate with each other in privacy without it being monitored...without it being measured or analyzed or sort-of judged by these shadowy figures and systems anytime they mentioned anything that travels across public lines. I think a lot of people of my generation - anybody who grew up with the internet - that's their understanding.

I'm really trying to wrap my head around that one. He's talking about "privacy" of information that travels across "public" lines. It seems that he has absolutely no awareness of the contradiction. And of course when he talks about those "shadowy figures and systems," he wants us to only think about the government and not the 1,500 data points on 700 million people that Acxiom is collecting to distribute to its corporate clients. Can he really be that clueless about the fact that there is no such thing as privacy online?

What has always astounded me about Snowden's claims is that for someone who supposedly worked in computers, he was remarkably stupid about privacy in the first place. One of the first releases of information about him were the IRC chat logs that Ars Technica had. Apparently, he was under the impression that those things aren't kept or traceable. Cripes, I still have the logs from my days of running an IRC channel, and that goes back 15 years. Nothing criminal or incriminating, but just archived.

I've seen this over and over again in the younger generation, like Snowden. They're continually caught out by something they THINK is "private," despite it being posted to a public forum or an insecured personal site. The idea that you can use public transmission lines and public sites in complete privacy is something that any technologically aware person should know is complete garbage.

Which leads me to my real questions about Snowden. Just how was someone that dumb allowed to not only get a security clearance, but a pretty highly paid job is beyond me.

Actually I'm not surprised that libertarians such as Snowden are making false claims about the government while at the same time giving a pass to corporations on the exact same issues. What is more surprising to me is how fast some mainstream liberals jumped on the Snowden bandwagon. By doing it they provided right-wing libertarians such as Rand Paul with some credibility on national security issues. This political alignment between liberals and libertarians on national security issues represents in my view a dangerous shift in American politics.